priyanshuharshbodhi1

Summary

This PR adds GuardDuty Detector support to AWS modules

Related issues or links

(#1477)

Checklist

Provide proof that this works (this makes reviews move faster). Please perform one or more of the following:

  • Update/add unit or integration tests.
  • Include a screenshot showing what the graph looked like before and after your changes.
  • Include console log trace showing what happened before and after your changes.

If you are changing a node or relationship:

If you are implementing a new intel module:

Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

cubic analysis

1 issue found across 6 files • Review in cubic

@priyanshuharshbodhi1 priyanshuharshbodhi1 force-pushed the Feat-add-guardduty-to-AWS branch 3 times, most recently from 4bb553d to 11937a4 on August 4, 2025 02:43
Collaborator

@d-aggarwal d-aggarwal left a comment

Thanks for the contribution! Left a few suggestions — feel free to make these updates while waiting for the final review.

@priyanshuharshbodhi1
Author

@d-aggarwal @achantavy, PTAL! I have made some updates.

Signed-off-by: Priyanshu Harshbodhi <[email protected]>
- Remove try/except block from get_detector_details (decorator handles exceptions)
- Move ARN construction logic from load to transform function
- Update transform_detector_details to accept aws_account_id parameter
- Remove separate detectors.json file as suggested
- Update tests to work with new function signatures

Signed-off-by: Priyanshu Harshbodhi <[email protected]>
@priyanshuharshbodhi1 priyanshuharshbodhi1 force-pushed the Feat-add-guardduty-to-AWS branch from 24ac22f to 9840942 on August 5, 2025 17:47
Contributor

@achantavy achantavy left a comment

Thanks for the help, almost there, please add integration tests and if possible a console log showing that you ran this. Let us know if you are not able to run this yourself and we'll find another way to test.

Comment on lines +330 to +340
detector_details = get_detector_details(boto3_session, region, detector_ids)
transformed_detectors = transform_detector_details(
detector_details, region, current_aws_account_id
)
load_guardduty_detectors(
neo4j_session,
transformed_detectors,
region,
current_aws_account_id,
update_tag,
)
Contributor

Let's move this out to a sync_detectors_function() and then call it from within sync().

Contributor

@achantavy achantavy left a comment

oh oops meant to actually hit 'request changes'

- Extract sync_detectors_function()
- Add comprehensive integration tests
- All tests passing for both unit and integration coverage

Signed-off-by: Priyanshu Harshbodhi <[email protected]>
Signed-off-by: Priyanshu Harshbodhi <[email protected]>
@jychp jychp changed the title from "feat: Add GuardDutyDetector to AWS module" to "feat(aws): Add GuardDutyDetector to AWS module" on Aug 13, 2025
@jychp jychp added the "module:AWS" label (Related to cartography's AWS module) on Aug 13, 2025
Contributor

@achantavy achantavy left a comment

Hey, looking forward to having this merged in. The tests are failing, can you please address? Also left a comment on removing an overly verbose test

Comment on lines +218 to +227
# Test outcomes - verify ARN construction is correct
detectors = neo4j_session.run(
"MATCH (d:GuardDutyDetector) RETURN d.detector_id as detector_id, d.arn as arn"
).data()

for detector in detectors:
expected_arn = f"arn:aws:guardduty:{TEST_REGION}:{TEST_ACCOUNT_ID}:detector/{detector['detector_id']}"
assert (
detector["arn"] == expected_arn
), f"ARN mismatch for detector {detector['detector_id']}"
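
Review bot: The assertion sits inside `for detector in detectors:`, so if the `MATCH (d:GuardDutyDetector)` query returns no rows the loop body never runs and the test passes without checking anything. Assert first that `detectors` is non-empty, or compare the returned (detector_id, arn) pairs against an expected set built from TEST_REGION and TEST_ACCOUNT_ID, so that a load that writes no nodes fails the test.
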
Contributor

Remove this test. It's overly verbose and doesn't use the check_nodes() pattern

Labels
module:AWS Related to cartography's AWS module